<!DOCTYPE html>
<html prefix="
og: http://ogp.me/ns#
article: http://ogp.me/ns/article#
" lang="zh_cn">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>自建https站点 | vincent blog</title>
<link href="../../assets/css/all-nocdn.css" rel="stylesheet" type="text/css">
<link rel="alternate" type="application/rss+xml" title="RSS" href="../../rss.xml">
<link rel="canonical" href="https://wisonwang.github.io/posts/zi-jian-httpszhan-dian/">
<!--[if lt IE 9]><script src="/assets/js/html5.js"></script><![endif]--><meta name="author" content="vincent wang">
<meta property="og:site_name" content="vincent blog">
<meta property="og:title" content="自建https站点">
<meta property="og:url" content="https://wisonwang.github.io/posts/zi-jian-httpszhan-dian/">
<meta property="og:description" content="现在https已经成为web服务的标配了，由于完整的https部署流程需要一系列的备案申请ca的一些过程，
不适合开发人员调试https服务功能，这样创建自授权的https就很有用了。



（注：自授权的证书不会被浏览器识别为可信的证书，可以在系统中添加该ca证书为可信证书即可）



如下介绍创建自授权的https站点流程，以nginx配置为例：





生成证书

sudo openssl">
<meta property="og:type" content="article">
<meta property="article:published_time" content="2019-10-09T15:05:23+08:00">
</head>
<body>
    <section class="social"><ul>
<li><a href="../../index.html" title="Home"><i class="icon-home"></i></a></li>
            <li><a href="../../archive.html" title="文章存档"><i class="icon-archive"></i></a></li>
            <li><a href="../../categories/" title="标签"><i class="icon-tags"></i></a></li>
            <li><a href="../../pages/about" title="About"><i class="icon-about"></i></a></li>
            <li><a href="../../rss.xml" title="RSS 源"><i class="icon-rss"></i></a></li>
            <li><a href="https://twitter.com/wisonwang" title="My Twitter"><i class="icon-twitter"></i></a></li>
            <li><a href="https://github.com/wisonwang" title="My Github"><i class="icon-github"></i></a></li>

        </ul></section><section class="page-content"><div class="content" rel="main">
    <div class="post">
        <h1 class="p-name entry-title" itemprop="headline name">自建https站点</h1>

        <div class="meta">
            <div class="authordate">
                <time class="timeago" datetime="2019-10-09T15:05:23+08:00">2019-10-09 15:05</time>
            
                      |  
        <a href="index.org" id="sourcelink">源代码</a>

            </div>
            
        </div>
        <div class="body">
            <p>
现在https已经成为web服务的标配了，由于完整的https部署流程需要一系列的备案申请ca的一些过程，
不适合开发人员调试https服务功能，这样创建自授权的https就很有用了。
</p>

<p>
（注：自授权的证书不会被浏览器识别为可信的证书，可以在系统中添加该ca证书为可信证书即可）
</p>

<p>
如下介绍创建自授权的https站点流程，以nginx配置为例：
</p>

<!-- TEASER_END -->

<div id="outline-container-org68f7571" class="outline-2">
<h2 id="org68f7571">生成证书</h2>
<div class="outline-text-2" id="text-org68f7571">
<div class="highlight"><pre><span></span>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
</pre></div>


<p>
其他配置可以随便写，但是Common Name必须是需要的域名.
</p>
</div>
</div>

<div id="outline-container-org1f58fa1" class="outline-2">
<h2 id="org1f58fa1">配置nginx</h2>
<div class="outline-text-2" id="text-org1f58fa1">
</div>
<div id="outline-container-org64b950d" class="outline-3">
<h3 id="org64b950d">配置/etc/nginx/snippets/self-signed.conf</h3>
<div class="outline-text-3" id="text-org64b950d">
<p>
添加如下内容:
</p>

<div class="highlight"><pre><span></span>ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
</pre></div>
</div>
</div>

<div id="outline-container-orgbbff576" class="outline-3">
<h3 id="orgbbff576">配置/etc/nginx/snippets/ssl-params.conf</h3>
<div class="outline-text-3" id="text-orgbbff576">
<p>
添加内容：
</p>

<div class="highlight"><pre><span></span>ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx &gt;= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx &gt;= 1.5.9
# ssl_stapling on; # Requires nginx &gt;= 1.3.7
# ssl_stapling_verify on; # Requires nginx =&gt; 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
</pre></div>
</div>
</div>

<div id="outline-container-orga445216" class="outline-3">
<h3 id="orga445216">生成dhparam</h3>
<div class="outline-text-3" id="text-orga445216">
<div class="highlight"><pre><span></span>openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
</pre></div>
</div>
</div>


<div id="outline-container-org0addb36" class="outline-3">
<h3 id="org0addb36">配置nginx站点</h3>
<div class="outline-text-3" id="text-org0addb36">
<p>
以example.com域名为例子：
</p>


<div class="highlight"><pre><span></span>vi /etc/nginx/sites-available/www.example.com
</pre></div>

<p>
输入以下内容:
</p>

<div class="highlight"><pre><span></span>server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

}

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    return 302 https://$server_name$request_uri;
}
</pre></div>

<p>
链接到site-enable文件夹下:
</p>

<div class="highlight"><pre><span></span>ln -s /etc/nginx/sites-available/www.example.com /etc/nginx/sites-enabled/
</pre></div>

<p>
重启nginx服务，完工:
</p>

<div class="highlight"><pre><span></span>systemctl restart nginx
</pre></div>
</div>
</div>
</div>
        </div>
                <ul class="pager hidden-print">
<li class="previous">
                <a href="../python-meta-class/" rel="prev" title="python meta class">前一篇</a>
            </li>
            <li class="next">
                <a href="../python-grpc-shi-yong/" rel="next" title="python grpc 使用">后一篇</a>
            </li>
        </ul>
<div id="disqus_thread"></div>
        <script>
        var disqus_shortname ="wisonwanghomepage",
            disqus_url="https://wisonwang.github.io/posts/zi-jian-httpszhan-dian/",
        disqus_title="\u81ea\u5efahttps\u7ad9\u70b9",
        disqus_identifier="cache/posts/zi-jian-httpszhan-dian.html",
        disqus_config = function () {
            this.language = "zh_cn";
        };
        (function() {
            var dsq = document.createElement('script'); dsq.async = true;
            dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js';
            (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
        })();
    </script><noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a>
</noscript>
    <a href="https://disqus.com" class="dsq-brlink" rel="nofollow">Comments powered by <span class="logo-disqus">Disqus</span></a>


    </div>
                     <footer id="footer"><p>Contents © 2020         <a href="mailto:fangfu2012@gmail.com">vincent wang</a> - Powered by         <a href="https://getnikola.com" rel="nofollow">Nikola</a>         </p>
            
        </footer>
</div>
    </section><script src="../../assets/js/all-nocdn.js" type="text/javascript"></script><script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"> </script><script type="text/x-mathjax-config">
    MathJax.Hub.Config({tex2jax: {inlineMath: [['$latex ','$'], ['\\(','\\)']]}});
    </script><script type="text/javascript">
            $(function(){
                $('.timeago').timeago();
            });
        </script>
</body>
</html>
